Lets take an initial look at the network config of the virtual environment.
You can see there is just a single network, and that network can talk to the outside world. I've only got 4 IP's on this network, plus I want some form of firewall in front of all Windows machines. So firstly I renamed the "VM Network" to "FrontNet" and enabled promiscuous mode setting it to allow connections so that whatever I place on this network has full ability for in and outbound communications with the rest of the Internet.
Next, I went through the add network wizard, creating a vSphere standard switch, and un-ticking all physical network adaptors. This means all machines on this network have no ability to communicate with the Internet (at least via vmware). I labelled this network "BackNet". The idea being that I can deploy virtual appliance firewalls, giving them an interface on both networks. (The firewalls will be the only machines with interfaces on both BackNet and FrontNet). I can then configure the VM's on the Backnet to have a default gateway of the internal interface of the firewall(s), forcing all outbound traffic through the firewall(s) where I can control what goes in and out.
You'll notice I used the term firewall(s), my general plan is to try and follow as many best practices as possible with this lab, apart from when doing so would incur additional costs. A number of firewall appliances have the ability to provide high availability by deployment in an active/passive configuration. However as the focus of this lab is Microsoft software, I'll probably deploy a single firewall for now, and possibly look at making it HA at a later point.
Once this configuration was complete, the network configuration of the lab appeared as below: